From owner-freebsd-security Thu May 20 8:59:40 1999
Delivered-To: freebsd-security@freebsd.org
Received: from idea.co.uk (ultra2.idea.co.uk [194.36.20.11]) by hub.freebsd.org (Postfix) with ESMTP id 287E114D04 for ; Thu, 20 May 1999 08:58:15 -0700 (PDT) (envelope-from kiril@idea.co.uk)
Received: (from kiril@localhost) by idea.co.uk (8.9.2/8.9.2) id QAA25977; Thu, 20 May 1999 16:42:26 +0100 (BST)
From: Kiril Mitev
Message-Id: <199905201542.QAA25977@idea.co.uk>
Subject: Re: secure deletion
To: patrick@mindstep.com (Patrick Bihan-Faou)
Date: Thu, 20 May 1999 16:42:26 +0100 (BST)
Cc: darrenr@reed.wattle.id.au, gsutter@pobox.com, wes@softweyr.com, imp@harmony.village.org, ilmar@ints.ru, posix1e@cyrus.watson.org, freebsd-security@FreeBSD.ORG
In-Reply-To: <19990520145800.B5E31150AF@hub.freebsd.org> from "Patrick Bihan-Faou" at May 20, 99 10:57:52 am
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > In some email I received, Darren Reed wrote:
> >
> > > I don't think you understand the problem properly if you think it can be
> > > coded "correctly" - what you're proposing just isn't possible via software
> > > where one overwrite is pretty much as good as multiple.
>
> I agree with that last statement. An implementation on FreeBSD probably does
> not need to write multiple times to the disk. The added security in that
> case will not matter. What I think is the issue is how much security people
> are seeking. You can see several levels:
>
> - none: files are deleted the way they are now, and it is fine. The
> mechanism provided by FreeBSD when reallocating the disk blocks is good
> enough to ensure the level of confidentiality we are looking after.
>
> - basic: what the original poster was suggesting: writing garbage data (be
> it zero or some pattern) over the deleted chunks. The clear advantage of
> that is that if you try to recover the freed blocks on a system comparable
> to the original system, you will probably not get anything useful out of the
> disk.
>
> - thorough: what government agencies do: physically destroy the disk. But
> this is not really practical when you just intend to erase a single file...
>
> In defense of the "basic" mechanism, I can see people getting worried that
> by just running some program on a disk people can recover data that they
> would wish gone for good. I am not talking about an organization that could
> use all the funky hardware that would be required to find the remanence of
> the magnetic trace left by the data that was on the disk 20 writes ago, but
> just somebody pulling the disk into another system and running recovery
> programs.
>
> I don't think the original poster was considering applications with very
> tight security requirements (like the government may have in some cases).
> But more protection against "casual" hackers (if such a thing exists).

well, not to split hairs, but if you (1) ARE worried about your disk being
put into another machine to be read by recovery tools,

-> then, you are probably worried about physical access to hardware

-> then you (theoretically) should be worried about locking up your
hardware, rather than wiping your disk :-0

====
(1) you the generic user, not you Patrick

> Just my 2 cents,
>
>
> Have a nice day.
>
>
> Patrick.
>
> --
> Et les Shadoks pompaient...
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
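The "basic" level described in the quoted message (one pass of zeros or a pattern over a file's blocks before the blocks are freed) is easy to get subtly wrong, so here is a worked example of it. This is an added illustration, not code from the thread, from FreeBSD or from any of its participants; it is plain POSIX C, and the function names (`wipe_file`, `secure_unlink`, the test helpers) and the `/tmp` path used to exercise it are this example's own choices. It does a single overwrite pass, in line with the thread's point that one pass is as good as many against someone who simply moves the disk to another machine and runs recovery tools.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Overwrite every byte of the regular file at path with one pass of
 * pattern and force the overwrite to stable storage. Returns 0 on
 * success, -1 on error. Only the bytes currently in the file are
 * touched: the file is deliberately not grown to the block boundary,
 * because extending it can make the filesystem relocate the last
 * fragment and leave the original one untouched on disk. */
int wipe_file(const char *path, unsigned char pattern)
{
    struct stat st;
    unsigned char buf[4096];
    off_t left;
    int fd = open(path, O_WRONLY | O_NOFOLLOW); /* refuse symlinks */

    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    memset(buf, pattern, sizeof buf);
    for (left = st.st_size; left > 0; ) {
        size_t n = left < (off_t)sizeof buf ? (size_t)left : sizeof buf;
        ssize_t w = write(fd, buf, n);
        if (w <= 0) {
            close(fd);
            return -1;
        }
        left -= w;
    }
    /* Until fsync returns, the pattern may still sit in the buffer
     * cache while the original data is what is on the platter. */
    if (fsync(fd) < 0) {
        close(fd);
        return -1;
    }
    return close(fd);
}

/* The "basic" level from the thread: overwrite in place, then unlink,
 * so the blocks go back to the free list already holding the pattern. */
int secure_unlink(const char *path, unsigned char pattern)
{
    if (wipe_file(path, pattern) < 0)
        return -1;
    return unlink(path);
}

/* Helpers used only to exercise the code above (constructed input). */
int write_test_file(const char *path, const char *text)
{
    size_t len = strlen(text);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);

    if (fd < 0)
        return -1;
    if (write(fd, text, len) != (ssize_t)len) {
        close(fd);
        return -1;
    }
    return close(fd);
}

/* 1 if the file is non-empty and every byte equals b, 0 if any byte
 * differs or the file is empty, -1 on error. */
int file_is_all(const char *path, unsigned char b)
{
    unsigned char buf[4096];
    ssize_t r;
    int seen = 0;
    int fd = open(path, O_RDONLY);

    if (fd < 0)
        return -1;
    while ((r = read(fd, buf, sizeof buf)) > 0) {
        for (ssize_t i = 0; i < r; i++)
            if (buf[i] != b) { close(fd); return 0; }
        seen = 1;
    }
    close(fd);
    return r < 0 ? -1 : seen;
}

int file_exists(const char *path) { return access(path, F_OK) == 0; }

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s file\n", argv[0]); return 2; }
    if (secure_unlink(argv[1], 0x00) < 0) { perror(argv[1]); return 1; }
    return 0;
}
```

Two caveats a practitioner would want stated plainly. First, this only scrubs the blocks the file currently owns: blocks freed by an earlier truncation or rewrite, copies in swap, editor backup files, and the tail slack of the last block are out of its reach, and if the file has another hard link the data is not even unlinked. Second, it assumes the filesystem writes in place; a filesystem that allocates a fresh block on every write would leave the original block intact, which is exactly the case the thread's "none" level relies on the kernel to handle.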